From: Miroslav Lachman <000.fbsd@quip.cz>
To: Joerg Surmann, FreeBSD-Jail
Cc: freebsd-current@freebsd.org
Subject: Re: two NIC's in a jail
Date: Fri, 23 Mar 2018 16:58:22 +0100
Message-ID: <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz>

Joerg Surmann wrote on 2018/03/23 16:45:
> Thanks for the reply.
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> says:
> netstat: kvm not available: /dev/mem No such file or directory  <- is inside a jail.
> tcp4    0        0 *.80        *.*        LISTEN
>
> grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> Listen 80
> Listen 443
>
> From the internal IP there is no problem.
> You are right. I'm not sure on which IPs Apache is listening.
>
> I have changed the Listen directive to the external IP in httpd.conf
> Listen 213.70.80.92:80
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> now says:
> tcp4    0        0  213.70.80.92:80        *.*        LISTEN
>
> But Apache is not available from the Internet.
> From the intranet... no problem.
>
> When I use tcpdump on the host I can see traffic.
>
> What's wrong?

That's strange.

Listen 80 and Listen 443 is OK, it is the same as

Listen *:80
Listen *:443

and as you see with netstat, Apache was listening on both IPs:

*.80 *.* LISTEN

Do you have something listening on port 80 on the host? What does netstat show on the host?

Also check the Apache log files. If you didn't configure a virtual host, then you have just these two log files:

/var/log/httpd-access.log
/var/log/httpd-error.log

Use tail and then try to access your website from the internet

# tail -f /var/log/httpd-*.log

Please send what "jls -v" on the host will show you (there should be 2 IPs for your jail), or "jls -s" (replace any sensitive information if you want).

And move this discussion to the proper mailing list: freebsd-jail@FreeBSD.org

Miroslav Lachman

> On 23.03.2018 at 16:07, Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 13:49:
>>> Hi all,
>>>
>>> I have a problem understanding how to manage 2 networks inside a jail.
>>>
>>> I have created a jail (using ezjail) with an alias IP.
>>> in rc.conf (on Host):
>>>
>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail IP
>>>
>>> Inside the jail, apache24 is running.
>>>
>>> Now I have added a new NIC to the system.
>>> in rc.conf (on Host):
>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>>
>>> in /usr/local/etc/ezjail/myjail.conf:
>>> I added the new IP
>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>>
>>> Restarted the jail and ifconfig looks fine.
>>> vmx0 -> inet 192.168.100.2
>>> em0  -> inet 213.70.80.92
>>>
>>> Apache listens on all NICs ()
>>> But I can see my website only via 192.168.100.2 from the internal network.
>>>
>>> The host is behind a firewall.
>>> The IP 213.70.80.92 is enabled for incoming traffic.
>>>
>>> When I enter the hostname in a browser I get "connection Timeout".
>>>
>>> What has to be done so that the host is accessible from the Internet?
>>
>> Are you sure Apache is listening on both IPs?
>>
>> What does netstat say?
>>
>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>
>> Also check what you have in httpd.conf for the Listen directive
>>
>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> I am not using ezjail, I am using jail.conf
>>
>> costa {
>>         host.hostname   = "costa.example.com";
>>         ip4.addr        = AA.BB.CCC.DDD;
>>         ip4.addr       += 192.168.222.57;
>> }
>>
>> Real IP was replaced with AA.BB.CCC.DDD
>>
>> And it works. Services inside the jail must be listening on both IPs or
>> wildcard * (0.0.0.0)
>>
>> And be sure to disable the host's services from listening on IPs and ports you
>> want to be served from the jail.
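
The listener check discussed in this thread, as an added example that is not part of the original messages: a POSIX sh script that reads `netstat -an` output and reports, for each of a jail's IPs, whether a TCP port has an explicit listener, only a wildcard listener, or none. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: for each jail IP, report how a TCP port is covered by
# IPv4 listeners found in `netstat -an` output read from stdin.

# Constructed sample input (not output captured from the thread's systems).
SAMPLE_NETSTAT='netstat: kvm not available: /dev/mem No such file or directory
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 213.70.80.92:80        *.*                    LISTEN
tcp4       0      0 192.168.100.2.80       192.168.100.50.51234   ESTABLISHED
tcp6       0      0 *.80                   *.*                    LISTEN'

# listeners PORT: print the local address of every tcp4 LISTEN socket on PORT.
# Accepts both "ip.port" and "ip:port" notation for the local address.
listeners() {
    awk -v port="$1" '
        $1 == "tcp4" && $NF == "LISTEN" {
            n = split($4, p, "[.:]")
            if (p[n] != port) next
            addr = p[1]
            for (i = 2; i < n; i++) addr = addr "." p[i]
            print addr
        }'
}

# coverage IP PORT: print "explicit", "wildcard" or "none".
coverage() {
    listeners "$2" | awk -v ip="$1" '
        $0 == ip  { explicit = 1 }
        $0 == "*" { wildcard = 1 }
        END { print (explicit ? "explicit" : (wildcard ? "wildcard" : "none")) }'
}

# report "IP1,IP2,..." PORT: one "ip coverage" line per jail IP
# (comma-separated list, as in the ezjail jail_myjail_ip setting).
report() {
    input=$(cat)
    old_ifs=$IFS
    IFS=,
    for ip in $1; do
        printf '%s %s\n' "$ip" "$(printf '%s\n' "$input" | coverage "$ip" "$2")"
    done
    IFS=$old_ifs
}

printf '%s\n' "$SAMPLE_NETSTAT" | report "192.168.100.2,213.70.80.92" 80
```

Feeding it `netstat -an` output from the host and from inside the jail shows side by side which of the jail's addresses each one is listening on.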